CN104272657A - Method and apparatus for providing tenant information for network flows - Google Patents


Info

Publication number
CN104272657A
Authority
CN
China
Prior art keywords
tenant
record
network
virtual switch
data record
Legal status
Granted
Application number
CN201380023083.XA
Other languages
Chinese (zh)
Other versions
CN104272657B (en)
Inventor
阿克什亚·库马尔·辛格
Current Assignee
Cisco Technology Inc
Original Assignee
Cisco Technology Inc
Events
Application filed by Cisco Technology Inc
Publication of CN104272657A
Application granted
Publication of CN104272657B
Legal status: Active

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L43/00 Arrangements for monitoring or testing data switching networks
    • H04L43/20 Arrangements for monitoring or testing data switching networks, the monitoring system or the monitored elements being virtualised, abstracted or software-defined entities, e.g. SDN or NFV

Abstract

In one embodiment, a method includes generating at a network device comprising a virtual switch, a tenant record comprising tenant information for a context defined within the virtual switch, exporting the tenant record to a collector, monitoring network flow at the virtual switch, and exporting network flow data in a data record to the collector. The data record includes an identifier associating the data record with the context. An apparatus is also disclosed.

Description

Method and apparatus for providing tenant information for network flows
Technical field
The present disclosure relates generally to communication networks, and more particularly to providing tenant information in a cloud computing multi-tenant environment.
Background
Many enterprises and service provider customers are building private or public clouds. Cloud computing enables network access to a shared pool of configurable resources that can be rapidly provisioned and released with minimal management effort. In a multi-tenant model, the provider's resources are pooled to serve multiple customers, with different physical and virtual resources dynamically assigned and reassigned according to customer demand. In cloud computing, a multi-tenant environment allows multiple customers to use the same public cloud. To provide network planning and security analysis in a multi-tenant environment, traffic needs to be monitored on a per-tenant basis and data needs to be exported for each tenant.
Brief description of the drawings
Fig. 1 illustrates an example of a network in which embodiments described herein may be implemented.
Fig. 2 illustrates VLAN segments used in creating a network virtualization overlay.
Fig. 3 depicts an example of a network device that may be used to implement embodiments described herein.
Fig. 4 is a flowchart illustrating an overview of a process for providing tenant information for network flows, in accordance with one embodiment.
Corresponding reference characters indicate corresponding parts throughout the several views of the drawings.
Description of example embodiments
Overview
In one embodiment, a method generally comprises generating, at a network device comprising a virtual switch, a tenant record comprising tenant information for a context defined within the virtual switch, exporting the tenant record to a collector, monitoring network flow at the virtual switch, and exporting network flow data in a data record to the collector. The data record comprises an identifier associating the data record with the context.
In another embodiment, an apparatus generally comprises a processor for generating a tenant record comprising tenant information for a context defined within a virtual switch, exporting the tenant record to a collector, monitoring network flow at the virtual switch, and exporting network flow data in a data record to the collector. The data record comprises an identifier associating the data record with the context. The apparatus further comprises memory for storing the tenant information.
Example embodiments
The following description is presented to enable one of ordinary skill in the art to make and use the embodiments. Descriptions of specific embodiments and applications are provided only as examples, and various modifications will be readily apparent to those skilled in the art. The general principles described herein may be applied to other applications without departing from the scope of the embodiments. Thus, the embodiments are not to be limited to those shown, but are to be accorded the widest scope consistent with the principles and features described herein. For purposes of clarity, details relating to technical material that is known in the technical fields related to the embodiments have not been described in detail.
Cloud computing provides resources and services that are abstracted from the underlying infrastructure and provided on demand and at scale. Inherent to cloud computing is the presence of multiple tenants using large-scale applications on the cloud infrastructure on demand. Multi-tenancy support has become an important requirement for data centers, especially in the context of data centers supporting virtualized servers (referred to as virtual machines). Multiple virtual machines share hardware resources without interfering with each other, so that several operating systems and applications can run simultaneously on a single computer.
In a cloud environment, each tenant and application needs to be logically isolated from the others, even at the network layer. Traffic isolation is important in a multi-tenant implementation so that a tenant's traffic and internal address usage are not visible to other tenants and do not conflict with addresses used in the data center. Conventional VLAN isolation techniques may not provide sufficient segmentation for large-scale cloud deployments. To provide segmentation at cloud deployment scale, Virtual Extensible LAN (VXLAN) may be used to create a network virtualization overlay. Traffic in the network may be separated among multiple customers based on a constant such as a segment identifier (in the case of VXLAN) or a VLAN identifier.
To monitor and provide appropriate service for identified connections or flows, it is preferable to track each network flow in a large-scale server deployment. A network protocol such as NetFlow may be used to collect traffic (network flow) information. NetFlow services provide network administrators with access to information about IP (Internet Protocol) flows in their data networks. Exported NetFlow data may be used for a variety of purposes, including, for example, network management and planning, enterprise billing, Internet service provider (ISP) accounting, data warehousing, denial of service (DoS) attack prevention, and data mining. To enable NetFlow in a multi-tenant environment, traffic needs to be monitored and exported on a per-tenant basis. The NetFlow collector should also present data on a per-tenant basis. The NetFlow collector therefore needs information about the tenant associated with a VXLAN segment or other context in the virtualized environment.
The embodiments described herein allow traffic to be monitored on a per-tenant basis and flow information (e.g., NetFlow data) to be exported on a per-tenant basis. As noted above, traffic is separated among multiple customers using a context defined by the virtual switching environment. In one embodiment, a tenant record (e.g., an option template) is used to export tenant-specific information based on a VLAN segment identifier (e.g., VXLAN segment ID) or other constant. The tenant record provides details about the tenant associated with the context, and is exported to the collector for use in identifying the tenant associated with the flow data records received at the collector. Since tenant information does not change often, the tenant record eliminates the need to include tenant information in every flow data record.
Referring now to the drawings, and first to Fig. 1, an example of a network in which embodiments described herein may be implemented is shown. For simplification, only a small number of network elements are shown. The network may be configured for use as a data center or any other type of network. As shown in Fig. 1, a physical switch 10 is in communication with a network 15 and network devices (server A, server B) 12. The switch 10 may be, for example, an access switch in communication with an aggregation switch or edge switch (not shown). There may be any number of physical switches 10 between the servers 12 and the network 15. For example, there may be multiple switches 10 to provide redundancy for traffic flows between the servers 12 and the network 15. The network 15 may include one or more networks (e.g., local area network, metropolitan area network, wide area network, virtual private network, enterprise network, Internet, intranet, radio access network, public switched network, or any other network). The network 15 may include any number or type of network devices (e.g., routers, switches, gateways, or other network devices) that facilitate passage of data over the network.
Each server 12 includes a virtual switch (referred to herein as a virtual Ethernet module (VEM)) 14 and one or more virtual machines (VMs) 16. The virtual machines 16 share hardware resources without interfering with each other, so that multiple operating systems and applications can run at the same time on a single computer. A virtual machine monitor such as a hypervisor (not shown) dynamically allocates hardware resources to the virtual machines 16. Each server 12 may include any number of virtual machines 16, and the virtual machines may be moved between servers based on traffic patterns, hardware resources, or other criteria. The server 12 may be, for example, a blade server, rack server, or any other type of network device operable to host virtual machines 16. The server 12 may, for example, host application servers or remotely host virtual machine applications used at end user devices (end stations, client devices) (not shown).
The virtual machines 16 communicate with the virtual switch 14 via virtual network interface cards (VNICs), which connect to virtual Ethernet interfaces at the virtual switch. The server 12 includes an Ethernet port for each physical network interface card. The Ethernet ports may be aggregated at a port channel. The virtual switch 14 communicates with the network 15 via the physical Ethernet interfaces. The virtual switch 14 switches traffic between the virtual machines 16 and the physical network interface cards.
The physical switch 10 is also in communication with a virtual supervisor module (VSM) 18. The VSM 18 may be located in a physical appliance in communication with the servers 12 via the physical switch 10, or the VSM may be a virtual appliance (e.g., virtual machine) installed at one of the servers 12 or at another server in the network. The VSM 18 is configured to provide control plane functionality for the virtual machines 16. The virtual switch 14 provides switching capability at the server 12 and operates as a data plane associated with the control plane of the VSM 18. The VSM 18 and the virtual switch (VEM) 14 operate together to form a distributed virtual switch (DVS) as viewed by a management station (not shown). The distributed virtual switch may be, for example, a Nexus 1000V series switch available from Cisco Systems, Inc. of San Jose, California. The management station may comprise, for example, a virtualization management platform such as the VMware Virtual Center management station available from VMware of Palo Alto, California.
It is to be understood that the distributed virtual switch shown in Fig. 1 and described above is only an example, and the embodiments described herein may be implemented in other virtual switches. The term "virtual switch" as used herein may refer to a distributed virtual switch (e.g., VEM 14 and VSM 18) or any other virtual switch operable to switch traffic between virtual machines and other network devices (e.g., physical switches, routers, gateways) in a virtualized server environment at a network device or server.
As shown in Fig. 1, network flows 21 are exchanged between user devices and the servers 12 over the network 15. A flow 21 comprises a sequence of packets sharing common attributes that pass through the network device 12. A flow may be defined, for example, based on source IP address, destination IP address, IP protocol, source port, and destination port. Each individual flow may be monitored, and statistics (e.g., flow start time, flow end time, number of packets sent) maintained for each flow.
Flows are monitored by the VEM 14 at each server 12 and stored in a cache (e.g., NetFlow cache) 24 at the server. Each processing line card of the VEM 14 supporting the server 12 collects flow statistics for the flows passing through that line card. As described below, flow data may be exported directly from each VEM 14 using a distributed exporter model, or the VEM 14 may transfer the data accumulated in its cache 24 to the VSM 18, which exports the flow data using a single-source exporter model.
In the distributed exporter model, the exporter 26 is located at the VEM 14 (as shown at server A in Fig. 1). Each line card supporting the VEM 14 exports its own cache 24 directly to the collector 20, and the VSM 18 provides only limited management functions for the export.
In the single-source exporter model, flow statistics are stored in the cache 24 at the VEM 14 and transferred to the exporter 26 at the VSM 18 (shown at server B and the VSM in Fig. 1). When the flow statistics need to be exported, the data is routed from the VEM 14 to the VSM 18. The flow data is then exported from the VSM 18 to the collector 20.
The exporter 26 transmits export packets to the collector 20. As described in detail below, the export packets include tenant records (e.g., templates, option templates) 25 and flow data records 28. The tenant record 25 includes tenant information for a context (e.g., VLAN segment (VXLAN)) defined within a virtual switch (e.g., a distributed virtual switch or multiple distributed virtual switches).
The tenant record 25 may be exported to the collector 20 at the start of a flow, periodically, on demand, or any combination thereof. For example, the tenant record 25 may be exported after a specified number of packets or after a period of time. The interval may be a default value or may be configurable.
Export of the tenant record 25 and data records 28 to the collector 20 may be implemented using, for example, User Datagram Protocol (UDP) or Stream Control Transmission Protocol (SCTP) as the transport mechanism.
The collector (data collection device) 20 receives data (tenant records 25, flow data records 28) from one or more exporters 26 and processes the data. The collector 20 receives and stores the tenant records 25 and flow data records 28. The flow records 28 may be aggregated (e.g., by tenant) before being stored at the collector 20. Once the tenant record 25 has been received by the collector 20, the collector uses the segment ID (or other identifier) to map the flow information received from the exporter 26 to a specific tenant. For example, the collector 20 may use the information received in the tenant record 25 to decode the flow data records 28 and map each data record to a tenant. The flow statistics exported by the exporter 26 to the collector 20 are analyzed by the analyzer 22. The analyzer 22 may process the network flow information for use by applications (e.g., usage-based billing, traffic engineering, attack/intrusion detection, quality of service monitoring, etc.). The analyzed statistics may be used by a network administrator to provide information about network capacity and flows, and to troubleshoot any network problems.
In one embodiment, the cache 24, exporter 26, and collector 20 are a NetFlow cache, NetFlow exporter, and NetFlow collector, respectively. The term "NetFlow" as used herein refers to a protocol for monitoring characteristics of network flows. It is to be understood that this is only an example, and that other protocols, such as Internet Protocol Flow Information Export (IPFIX), may be used to collect traffic information and monitor the characteristics of network flows. Any number or type of exporters 26, collectors 20, or analyzers 22 may be used. Also, the collector 20 and analyzer 22 may be located at the same network device.
It is to be understood that the network shown in Fig. 1 and described herein is only an example, and the embodiments may be implemented in networks having different network topologies or network devices without departing from the scope of the embodiments.
As noted above, the example shown in Fig. 1 includes only a small number of network elements. An infrastructure serving a cloud computing environment may have a large number of tenants, each with its own applications. Each tenant needs a logical network isolated from all other tenants. Each application from a tenant may also need its own logical network to isolate it from other applications. In one embodiment, VXLAN segments are used to allow logical networks to extend among virtual machines placed in different Layer 2 domains. VXLAN provides a Layer 2 overlay scheme over a Layer 3 network. Each overlay is referred to as a VXLAN segment. Only virtual machines 16 within the same VXLAN segment can communicate with each other. VXLAN provides a Layer 2 abstraction to the virtual machines 16, regardless of where the virtual machines 16 are located. Thus, a VXLAN segment is a VXLAN Layer 2 overlay network over which the virtual machines 16 communicate.
In one embodiment, each virtual machine 16 is assigned an IP address, which is used as the source IP address when encapsulated MAC (media access control) frames are sent over the network 15. The VEM 14 encapsulates the Layer 2 frames received from the virtual machines 16. The VXLAN identifier is carried in the encapsulation. The VXLAN to connect to may be specified in a port profile (described below) and applied when the virtual machine 16 connects to the network.
The same VXLAN may be configured on one or more distributed virtual switches to create the network virtualization overlay. Thus, there may be multiple servers 12 supporting multiple virtual machines 16, each having one or more interfaces associated with VLANs or VLAN segments at different network locations (as shown in Fig. 2 and described below). For example, customers or business units (e.g., research and development, corporate, finance) may be assigned different VXLAN segments, which are used at various locations (e.g., Los Angeles division, San Francisco headquarters, Seattle branch) communicating with the data center. The tenant record 25 is used to provide details about the tenant associated with a VXLAN segment. This allows the collector 20 to present flow data on a per-tenant basis.
Fig. 2 illustrates VXLAN segments at the virtual switch 14 for a network virtualization overlay. In the example shown in Fig. 2, the virtual machines 16 include interfaces associated with VLAN 44, VXLAN 4400, and VXLAN 4401. Customers or applications using different segments are isolated from one another. For example, a customer with a virtual machine 16 having interfaces on VLAN 44 and VXLAN 4400 cannot directly access a server at a virtual machine having an interface on VXLAN 4401.
It is to be understood that the VLAN segmentation technique described above is only an example, and a tenant may be associated with another context defined in the virtual switching environment.
Referring again to Fig. 1, the exporter 26 at the distributed virtual switch (e.g., at the VEM 14 or at the VSM 18) exports the tenant record 25, which is used to provide tenant-specific information based on a context identifier (e.g., segment ID of a VXLAN or other constant). After the tenant record 25 has been sent to the collector 20, the exporter 26 sends flow information in flow data records 28. The flow data record 28 includes the flow statistics associated with the flow and the context ID. The collector 20 uses the information obtained in the tenant record 25 to map the flow records to specific tenants.
As described below, the tenant record 25 includes an identifier (e.g., VXLAN ID (24-bit LAN segment identifier), VLAN ID, or other context ID), which is also included in the flow data record 28 so that the flow data can be mapped to a specific tenant. In one embodiment, the identifier is defined in a port profile. A port profile is used to define a container for the common set of configuration policies (attributes) for multiple interfaces. Port profiles are associated with port configuration policies defined by a network administrator, and are applied automatically to a large number of ports as they come online in the virtual environment. Port profiles allow a single policy or identifier to be applied across a large number of ports, and support both static and dynamic mapping to ports.
The tenant record 25 may include, for example, segment ID, tenant name and description, location, distributed virtual switch identifier (name, location), and bridge domain. The tenant record 25 may also be used to provide additional information, such as details about interface indices (e.g., interface name, interface description), or to define the data format of one or more of the data records sent in the flow data records. Preferably, a different tenant record 25 is generated for each context. For example, each tenant record 25 may be associated with a different VXLAN segment. The tenant record 25 may be transmitted, for example, in a NetFlow packet comprising a packet header and one or more fields containing one or more tenant records. The packet may also include one or more flow data records 28.
In one embodiment, the tenant record 25 is a NetFlow template or option template. It is to be understood that the term "template" as used herein may refer to any collection of data that can be transmitted from the exporter 26 to the collector 20 to provide tenant-specific information, and that may be transmitted in any suitable format (e.g., as data in one or more packet fields).
The flow data record 28 may be exported when a flow is determined to have ended or at periodic intervals. The flow record 28 includes information about the traffic in a given flow, including, for example, measured attributes of the flow (e.g., packet and byte counts (e.g., the total number of bytes of all packets in the flow)), timestamps, and characteristic attributes of the flow (e.g., source IP address, protocol, type of service, application port, input and output interfaces). More specifically, the flow data record 28 may include, for example, the context identifier, input interface index, output interface index, timestamps for the flow start and end times, number of bytes and packets observed in the flow, Layer 3 headers (source and destination IP addresses, source and destination port numbers, IP protocol), and Layer 3 routing information.
In one embodiment, the tenant record 25 and flow data record 28 are exported in a NetFlow export packet. The export packet includes a packet header (containing packet information) and one or more tenant records 25, one or more data records 28, or a combination thereof. For example, the export packet may include a collection of flow records 28 or a collection of tenant records 25 (referred to as a flowset).
It is to be understood that the contents and format of the tenant record 25 and flow data record 28 described above are only examples, and the records may include more, fewer, or different information without departing from the scope of the embodiments.
Fig. 3 illustrates an example of a network device 30 (e.g., server, appliance) that may be used to implement the embodiments described herein. In one embodiment, the network device 30 is a programmable machine that may be implemented in hardware, software, or any combination thereof. The network device 30 includes one or more processors 32, memory 34, network interfaces 36, and the exporter 26.
The exporter 26 includes a tenant record generator and a data record generator (e.g., logic operable to generate the tenant record 25 and the flow data record 28). The exporter 26 may comprise, for example, fixed logic or programmable logic (e.g., software/computer instructions executed by the processor 32).
Memory 34 may be a volatile memory or non-volatile storage that stores various applications, operating systems, modules, and data for execution and use by the processor 32. For example, memory 34 may store exporter processing logic.
Logic may be encoded in one or more tangible media for execution by the processor 32. For example, the processor 32 may execute code stored in a computer-readable medium such as memory 34. The computer-readable medium may be, for example, electronic (e.g., RAM (random access memory), ROM (read-only memory), EPROM (erasable programmable read-only memory)), magnetic, optical (e.g., CD, DVD), electromagnetic, semiconductor technology, or any other suitable medium.
The network interfaces 36 may comprise any number of interfaces (e.g., line cards, network interface cards, ports) for receiving data from or transmitting data to other devices.
It is to be understood that the network device 30 shown in Fig. 3 and described above is only an example, and that different configurations of network devices may be used. For example, the network device 30 may further include any suitable combination of hardware, software, algorithms, processors, devices, components, or elements operable to facilitate the capabilities described herein.
Fig. 4 is a flowchart illustrating a process for providing tenant information for network flows, in accordance with one embodiment. At step 40, the exporter 26 generates a tenant record 25 for each VXLAN segment or other context defined within the virtual switch. As previously described, the tenant record 25 may, for example, include tenant-specific information based on the segment ID. As described with respect to Fig. 1, the exporter 26 operates at the distributed virtual switch and may be located at the server 12 (at the virtual switch 14) or at the appliance 18 (at the virtual supervisor module). The tenant record 25 is exported to the collector 20 (step 42). The distributed virtual switch monitors network flows and collects network flow data for the network flows passing through the network device (step 44). The monitoring may include, for example, monitoring network flows at the VEM 14 or collecting network flow data at the VSM 18. Since flows may enter or leave the network device, statistics may be maintained for ingress or egress traffic. The network device exports the network flow information in data records 28 (step 46).
The data record 28 includes an identifier associating the data record with the context. As described above, the identifier may, for example, comprise a segment ID associating the data record 28 with a VXLAN segment. The tenant record 25 containing the same segment ID provides the tenant-specific information for that VXLAN segment. The network flow information may be transmitted, for example, as network flow records encapsulated in packets. The flow data records 28 may be transmitted at the end of a network flow or at periodic intervals. The collector 20 uses the information received in the tenant record 25 to associate the flow data received in the data records 28 with the tenant.
It is to be understood that the process shown in Fig. 4 and described above is only an example, and steps may be added, modified, or reordered without departing from the scope of the embodiments. For example, the tenant record 25 may not be exported to the collector 20 until the network device has collected at least some network flow information, or the tenant record 25 may be transmitted together with the data records 28.
Although the method, apparatus, and system have been described in accordance with the embodiments shown, one of ordinary skill in the art will readily recognize that there could be variations made without departing from the scope of the embodiments. Accordingly, it is intended that all matter contained in the above description and shown in the accompanying drawings shall be interpreted as illustrative and not in a limiting sense.

Claims (20)

1. A method comprising:
generating, at a network device comprising a virtual switch, a tenant record comprising tenant information for a context defined within said virtual switch;
exporting said tenant record to a collector;
monitoring network flow at said virtual switch; and
exporting network flow data in a data record to said collector;
wherein said data record comprises an identifier associating said data record with said context.
2. The method of claim 1, wherein said context comprises a VLAN segment.
3. The method of claim 1, wherein said tenant record comprises a network flow option template.
4. The method of claim 1, wherein said tenant record is configured for use at said collector to map said data record to a tenant associated with said context.
5. The method of claim 1, wherein said identifier comprises a virtual extensible local area network segment identifier.
6. The method of claim 1, wherein said tenant record comprises a tenant identifier.
7. The method of claim 1, wherein said tenant record comprises a location of said network device in a network.
8. The method of claim 1, wherein said virtual switch comprises a distributed virtual switch and said tenant record comprises a distributed virtual switch identifier.
9. The method of claim 1, wherein exporting said tenant record and exporting said data record comprises using a NetFlow protocol.
10. a device, comprising:
Processor, described processor is used for: generate tenant's record, described tenant records the tenant's information comprised for the situation defined in virtual switch; Described tenant's record is exported to gatherer; At described virtual switch place monitor network stream; And the network flow data in data record is exported to described gatherer; And
Memory, described memory is for storing described tenant's information;
Wherein, described data record comprises the identifier described data record and described situation being carried out associating.
11. devices as claimed in claim 10, wherein, described situation comprises VLAN segmentation.
12. device as claimed in claim 10, wherein, described tenant's record comprises network flow option template.
13. devices as claimed in claim 10, wherein, described tenant's record is configured to use at described gatherer place described data record to be mapped to the tenant be associated with described situation.
14. devices as claimed in claim 10, wherein, described identifier comprises virtual easily extensible local network segment identifier.
15. devices as claimed in claim 10, wherein, described tenant's record comprises tenant identifier.
16. devices as claimed in claim 10, wherein, described tenant records the position comprised in a network.
17. devices as claimed in claim 10, wherein, described virtual switch comprises distributed virtual switch, and described tenant record comprises distributed virtual switch identifier.
18. devices as claimed in claim 10, wherein, described tenant's record and described data record are used NetFlow agreement to derive.
19. 1 kinds of logics be coded in for execution on one or more tangible computer computer-readable recording medium, can operate when described logic is performed to perform following operation:
Generate tenant's record at the network equipment place comprising virtual switch, described tenant records the tenant's information comprised for the situation defined in described virtual switch;
Described tenant's record is exported to gatherer;
At described virtual switch place monitor network stream; And
Network flow data in data record is exported to described gatherer;
Wherein, described data record comprises the identifier described data record and described situation being carried out associating.
20. logics as claimed in claim 19, wherein said situation comprises VLAN segmentation.
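The claims describe a two-record scheme: a tenant record per segment, exported once from the virtual switch, and flow data records that carry only a segment identifier, with the collector performing the join (claims 1 and 4). The following is an added example, not code from the patent or from Cisco, of a collector that performs that join and holds flows whose tenant record has not yet arrived, as the description allows; record layouts, field names and all sample records are constructed, and keying by exporter identifier is an assumption drawn from claims 7 and 8.

```python
# Added example, not from the patent: a collector joining flow data records to
# tenants via per-segment tenant records (claims 1 and 4). Record layouts and
# sample values are constructed; this is not the NetFlow/IPFIX wire format.
from collections import defaultdict
from dataclasses import dataclass, field

@dataclass(frozen=True)
class TenantRecord:          # tenant information for one segment of a switch
    exporter: str            # distributed virtual switch identifier (claim 8)
    segment_id: int          # VLAN or VXLAN segment identifier (claims 2, 5)
    tenant_id: str           # tenant identifier (claim 6)

@dataclass(frozen=True)
class FlowRecord:            # data record: carries only the segment identifier
    exporter: str
    segment_id: int
    src: str
    dst: str
    octets: int

@dataclass
class Collector:
    # Keyed per exporter (assumed): a segment id is only meaningful within the switch that defined it.
    tenants: dict = field(default_factory=dict)
    attributed: dict = field(default_factory=lambda: defaultdict(list))
    pending: dict = field(default_factory=lambda: defaultdict(list))

    def on_tenant_record(self, rec):
        key = (rec.exporter, rec.segment_id)
        self.tenants[key] = rec.tenant_id
        # The tenant record may be exported after some flow data (see the
        # description above); flows held for this segment are attributed now.
        for flow in self.pending.pop(key, []):
            self.attributed[rec.tenant_id].append(flow)

    def on_flow_record(self, flow):
        key = (flow.exporter, flow.segment_id)
        tenant = self.tenants.get(key)
        if tenant is None:            # no tenant record yet: hold, never drop
            self.pending[key].append(flow)
            return None
        self.attributed[tenant].append(flow)
        return tenant

    def octets_by_tenant(self):
        return {t: sum(f.octets for f in fl) for t, fl in self.attributed.items()}

def demo():
    # Constructed sequence in which one flow arrives before its tenant record.
    c = Collector()
    c.on_tenant_record(TenantRecord("dvs-a", 5001, "acme"))
    c.on_flow_record(FlowRecord("dvs-a", 5001, "10.1.0.5", "10.1.0.9", 1500))
    c.on_flow_record(FlowRecord("dvs-b", 5001, "10.2.0.5", "10.2.0.9", 700))
    c.on_tenant_record(TenantRecord("dvs-b", 5001, "globex"))   # releases it
    c.on_flow_record(FlowRecord("dvs-a", 5002, "10.1.1.5", "10.1.1.9", 300))
    return c
```

Flows whose segment has no tenant record stay in `pending` rather than being counted against a default tenant, so a missing or delayed tenant record shows up as unattributed traffic instead of silently mis-billed or mis-audited flows.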

Applications Claiming Priority (3)

Application Number Priority Date Filing Date Title
US13/461,667 US9407450B2 (en) 2012-05-01 2012-05-01 Method and apparatus for providing tenant information for network flows
US13/461,667 2012-05-01
PCT/US2013/038072 WO2013165785A1 (en) 2012-05-01 2013-04-24 Method and apparatus for providing tenant information for network flows

Publications (2)

Publication Number Publication Date
CN104272657A true CN104272657A (en) 2015-01-07
CN104272657B CN104272657B (en) 2018-03-27

Family

ID=48289691

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201380023083.XA Active CN104272657B (en) 2012-05-01 2013-04-24 Method and apparatus for providing tenant information for network flows

Country Status (4)

Country Link
US (1) US9407450B2 (en)
EP (1) EP2845350B1 (en)
CN (1) CN104272657B (en)
WO (1) WO2013165785A1 (en)


Also Published As

Publication number Publication date
EP2845350A1 (en) 2015-03-11
WO2013165785A1 (en) 2013-11-07
CN104272657B (en) 2018-03-27
EP2845350B1 (en) 2019-07-17
US20130297768A1 (en) 2013-11-07
US9407450B2 (en) 2016-08-02

Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
GR01 Patent grant